Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components.
“In this post, we detailed how this TrickBot fresh variant works in a victim’s machine, what technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its C&C server to download the modules,” said Xiaopeng Zhang with Fortinet’s FortiGuard Labs threat team in a Monday analysis.
“If [the length is less than 3,100], it will raise an exception and close,” researchers said. “Usually, on a real computer, this length is larger than 3100. In this measure, it is better able to bypass many auto-analysis systems, including Sandboxes and Virtual Machines.”